infosec, privacy, tiktok 

TikTok has been reverse engineered, and found to be surveilling its users extensively, collecting data including clipboard contents, phone hardware, other installed apps, GPS data, and whether or not the phone is jailbroken.

All of this is hidden behind extensive obfuscation, and is remotely configurable.


@fox_news I read that earlier, and was like, how is that different than what any other app or website does or tries to do? And it isn't, really. What's creepy about TikTok is the extent (and expense! and expertise!) they put into the obfuscation, which I am told looks more like state actor than a company just trying to make money. If it was just greed, they would have cheaped out on the obfuscation (because that's not profitable).

@fox_news the original video in the comment linked reddit post is gone now :/

re: infosec, privacy, tiktok 


Tiktok is bad, not just because of the technical tracking, but the Employee guidelines.

Just from what I've heard, I don't have any *personal* evidence, but:
They give moderators "hotness" guidelines that specify what is and isn't attractive for humans, so they can promote the "hot kids" and hide the "ugly kids".

Kinda sounds like a pedophile thing.

If there's one thing that we've learnt from the immorality of Facebook, none of this will make anyone stop using Tiktok. At least, not enough people for it to matter.

TikTok is a data collection service that is thinly-veiled as a social network.

... If there is an API to get information on you, your contacts, or your device... well, they're using it.

Phone hardware (cpu type, number of cores, hardware ids, screen dimensions, dpi, memory usage, disk space, etc)
Other apps you have installed (I've even seen some I've deleted show up in their analytics payload - maybe using as cached value?)
Everything network-related (ip, local ip, router mac, your mac, wifi access point name)
Whether or not you're rooted/jailbroken
Some variants of the app had GPS pinging enabled at the time, roughly once every 30 seconds - this is enabled by default if you ever location-tag a post IIRC
They set up a local proxy server on your device for "transcoding media", but that can be abused very easily as it has zero authentication

The scariest part of all of this is that much of the logging they're doing is remotely configurable, and unless you reverse every single one of their native libraries (have fun reading all of that assembly, assuming you can get past their customized fork of OLLVM!!!) and manually inspect every single obfuscated function. They have several different protections in place to prevent you from reversing or debugging the app as well. ...

(Post is from 8 Apr 2020)


#tiktok #malware #spyware #surveillance #surveillanceCapitalism

re: tiktok is malware // 

re: last boost
buried the lede there - **ability to download zip and execute it** - it's literally a trojan.

I get why the #surveillanceCapitalism tag is there, but I think it's more likely this is surveillance - whatever the fuck the CCP is. These aren't capabilities designed with profit in mind, these are designed to run attacks against global populations.

TikTok is what you build if you're a country worried about dissident students.

infosec, privacy, tiktok 

@fox_news this is one of those "i told you so" moments.
